Which, as you can see in the screenshots, is Locky. However, if you proceed further, download the 'roaming.exe' file and then unpack it, you will end up with Cerber ransomware. Also, if you look at the traffic, the malware uses

. As far as I know, the first one is for Locky, but the second one is only for Cerber. Also, if I am not mistaken, Cerber doesn't use any POST requests.

Probably I am missing something, so any help is welcome.

It's been a while that the group behind Cerber has also been playing with Locky, so you see the same URI used to download the payload as the one with which Cerber is also downloaded. It's not the first time that I have observed this behavior. What you attached here is Cerber; in fact, the hash is different from the one downloaded in the Hybrid-Analysis sandbox.